Social media guidance finalized by regulators

My two sons love to tease me about the paltry 52 friends I have on Facebook, compared to theirs that each number well over 600. I don’t even post updates that often, so the few friends I have probably have forgotten me by now anyway.

I must admit that I’m not a big user of social media. You may even share my feelings. But that doesn’t mean you can ignore social media.

The guidance has been almost a year in the making. Back in January 2013, the Federal Financial Institutions Examination Council proposed the guidance. On Dec. 11, 2013, the guidance was issued in final form. It took effect immediately upon issuance, and applies to all institutions supervised by the Comptroller’s Office, Federal Reserve System, FDIC, NCUA, and CFPB.

The guidance gives institutions some indication as to the regulators’ expectations relating to the use of social media. The regulators claim that the guidance does not impose any new requirements on financial institutions.

Not completely true.

Yes, the guidance consists mostly of a list of existing laws and regulations and how they are affected if the institution uses social media (and in some cases, doesn’t use social media).

However, the guidance also contains the regulatory expectation (AKA requirement) that financial institutions have a risk management program related to social media. There is also some risk assessment needed by a financial institution that has chosen not to use social media.

Yes, this means that in either case, you have to do something.

For nonparticipants, the guidance says that those financial institutions should still consider the potential for negative comments or complaints that may arise within the many social media platforms and, when appropriate, evaluate what, if any, action they will take to monitor them and respond.

So, even if a financial institution isn’t tweeting or blogging or facebooking, etc., it may still have an obligation under the guidance to assess the risk presented by social media from external sources.

On the other hand, risk management really should be an automatic part of everyday life for the compliance manager. If social media has been in use by a financial institution, a risk assessment and risk management program should have been one of the first steps in the planning and implementation process of bringing social media on board.

In fact, even if your bank doesn’t use social media, employees may be doing so. There is also a stated regulatory expectation in the new document that financial institutions should provide guidance and training to employees on appropriate official use of social media. The training should cover the institution’s policies and procedures for official work-related use of social media and include what the institution considers impermissible use of social media by employees.

Review reveals clarifications, gray areas, and landmines

There’s plenty in this regulation for Compliance to chew on.

• Is government monitoring information being gathered? Institutions will have to examine their practices, and those of any third-party vendors they employ, that might collect demographic information about social media site users. The same regulations that prohibit financial institutions from requesting and collecting race, ethnicity, national origin, and gender information from applicants—unless specifically authorized by type of loan application—would apply in a social media site via electronic or data mining means.

A financial institution may not even realize this is being done with the technology it has purchased or licensed.

• Is the FDIC membership message required? I was particularly interested to see final guidance on the use of the “Member FDIC” advertising statement in social media. The guidance says: “The official advertisement statement must appear, even in a message that promotes nonspecific banking products and services, if it includes the name of the insured depository institution but does not list or describe particular product or services.” Clarification on this subject was needed.

• Must banks monitor what’s being said about them in social media? There was much concern expressed prior to the final guidance being issued that the regulators were going to expect or mandate institutions to monitor external social media sites for references, comments, or discussion about an institution regardless of the institution’s participation in social media or whether the activity was on the institution’s own social media sites.

The guidance places this issue squarely into the gray area of maybe yes, maybe no. It becomes a risk decision and something a financial institution should consider after making a risk assessment.

• Where does UDAAP fit in? UDAAP was mentioned in the guidance, but not too much guidance was provided. Institutions must ensure that information that is communicated on social media sites is accurate and not misleading and consistent with other information delivered through other channels. No big news flash here!

“Lucy and Nancy’s Common Sense Compliance” is blogged by both Lucy Griffin and Nancy Derr-Castiglione, both Banking Exchange contributing editors on compliance. Nancy, a Certified Regulatory Compliance Manager, is owner of D-C Compliance Services, an independent regulatory compliance consulting services business that has provided expertise in compliance training, monitoring, risk assessment, and policies and procedures to financial institutions since 2002. Previously, Nancy held compliance positions with Bank One Corporation and with United Banks of Colorado. In addition to serving as a Contributing Editor of Banking Exchange, Nancy has served on the ABA Compliance Executive Committee; National and Graduate Compliance Schools board; conference planning committees; and the Editorial Advisory Board for the ABA Bank Compliance magazine. She can be reached at [email protected]